YAML: Replace ip_allow.config with ip_allow.yaml.

FreelancerNaushed · Aug 5, 2019 · 9db871a · 9db871a
1 parent 9808a98
commit 9db871a
Show file tree

Hide file tree

Showing 17 changed files with 664 additions and 168 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -32,6 +32,7 @@ include_directories(
         include
         tests/include
         lib
+        lib/yamlcpp/include
         proxy
         proxy/hdrs
         proxy/http

diff --git a/ci/rat-regex.txt b/ci/rat-regex.txt
@@ -67,3 +67,4 @@ port\.h
 ^catch[.]hpp$
 ^configuru.hpp$
 ^yamlcpp$
+^tests/gold_tests/autest-site/min_cfg$
diff --git a/configs/Makefile.am b/configs/Makefile.am
@@ -29,7 +29,7 @@ nodist_sysconf_DATA = \
 dist_sysconf_DATA =	\
 	cache.config.default \
 	hosting.config.default \
-	ip_allow.config.default \
+	ip_allow.yaml.default \
 	logging.yaml.default \
 	parent.config.default \
 	plugin.config.default \

diff --git a/configs/ip_allow.config.default b/configs/ip_allow.config.default
diff --git a/configs/ip_allow.schema.json b/configs/ip_allow.schema.json
@@ -0,0 +1,81 @@
+{
+  "$schema": "https://github.com/apache/trafficserver/tree/master/configs/ip_allow.schema.json",
+  "title": "Traffic Server IP Allow Configuration",
+  "description": "IP ACL configuration file structure. Licensed under Apache V2 https://www.apache.org/licenses/LICENSE-2.0",
+  "type": "object",
+  "properties": {
+    "version": {
+      "type": "string",
+      "description": "Configuration format version."
+    },
+    "ip_addr_acl": {
+      "description": "Root tag for IP address ACL configuration",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/rule"
+      }
+    }
+  },
+  "required": [ "ip_addr_acl" ],
+  "definitions": {
+    "range": {
+      "description": "A range of IP addresses in a single family.",
+      "type": "string"
+    },
+    "action": {
+      "description": "Enforcement action.",
+      "type": "string",
+      "enum": [ "allow", "deny" ]
+    },
+    "methods": {
+      "description": "Methods to check.",
+      "oneOf": [
+        {
+          "type": "string",
+          "description": "Method name"
+        },
+        {
+          "type": "array",
+          "description": "List of method names.",
+          "minItems": 1,
+          "items": {
+            "type": "string",
+            "description": "Method name"
+          }
+        }
+      ]
+    },
+    "rule": {
+      "description": "Connection ACL.",
+      "type": "object",
+      "properties": {
+        "apply": {
+          "description": "Where to apply the rule, inbound or outbound.",
+          "type": "string",
+          "enum": [ "in", "out" ]
+        },
+        "ip_addrs": {
+          "oneOf": [
+            {
+              "$ref": "#/definitions/range"
+            },
+            {
+              "type": "array",
+              "minItems": 1,
+              "items": {
+                "$ref": "#/definitions/range"
+              }
+            }
+          ]
+        },
+        "action": {
+          "$ref": "#/definitions/action"
+        },
+        "methods": {
+          "$ref": "#/definitions/methods"
+        }
+      },
+      "required": [ "apply", "ip_addrs", "action" ]
+    }
+  }
+}
diff --git a/configs/ip_allow.yaml.default b/configs/ip_allow.yaml.default
@@ -0,0 +1,50 @@
+# YAML
+#
+# ip_allow.config
+#
+# Documentation:
+#    https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ip_allow.config.en.html
+#
+# Rules:
+# Each rule is a mapping, with the tags
+#
+#   apply: Either "in" or "out" to apply to inbound and outbound connections respectively.
+#   ip_addrs: IP address ranges, either a single range or a list of ranges.
+#   action: "allow" or "deny"
+#   methods: A method name or sequence of method names. Available methods: GET, CONNECT, DELETE,
+#            HEAD, OPTIONS, POST, PURGE, PUT, TRACE, PUSH. The special name "ALL" indicates all
+#            methods and it overrides any other methods.
+#
+# A rule must have either "src" or "dst" to indicate if the IP addresses apply to inbound connections
+# or outbound connections.
+#
+# The top level tag 'ip_addr_acl' identifies the rule items. Its value must be a rule item or a
+# sequence of rule items.
+#
+# Rules are applied in the order listed starting from the top.
+# That means you generally want to append your rules after the ones listed here.
+#
+# Allow anything on localhost, limit destructive methods elsewhere.
+ip_addr_acl:
+  - apply: in
+    ip_addrs: 127.0.0.1
+    action: allow
+    methods: ALL
+  - apply: in
+    ip_addrs: ::1
+    action: allow
+    methods: ALL
+  - apply: in
+    ip_addrs: 0/0
+    action: deny
+    methods:
+      - PURGE
+      - PUSH
+      - DELETE
+  - apply: in
+    ip_addrs: ::/0
+    action: deny
+    methods:
+      - PURGE
+      - PUSH
+      - DELETE